From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
commit 4acc902ed3743edd4ac2d3846604a99d17104359 upstream.
pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI
domain ID, but there are two issues:
- 'epc->dev' is passed to pci_bus_release_domain_nr() which was already
freed by device_unregister(), leading to a use-after-free issue.
- Domain ID corresponds to the EPC device parent, so passing 'epc->dev'
is also wrong.
Fix these issues by passing 'epc->dev.parent' to
pci_bus_release_domain_nr() and also do it before device_unregister().
Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers")
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20241107-epc_rfc-v2-1-da5b6a99a66f@xxxxxxxxxxx
[mani: reworded subject and description]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Signed-off-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/pci/endpoint/pci-epc-core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/pci/endpoint/pci-epc-core.c
+++ b/drivers/pci/endpoint/pci-epc-core.c
@@ -837,11 +837,10 @@ EXPORT_SYMBOL_GPL(pci_epc_bus_master_ena
void pci_epc_destroy(struct pci_epc *epc)
{
pci_ep_cfs_remove_epc_group(epc->group);
- device_unregister(&epc->dev);
-
#ifdef CONFIG_PCI_DOMAINS_GENERIC
- pci_bus_release_domain_nr(&epc->dev, epc->domain_nr);
+ pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr);
#endif
+ device_unregister(&epc->dev);
}
EXPORT_SYMBOL_GPL(pci_epc_destroy);
Patches currently in stable-queue which might be from quic_zijuhu@xxxxxxxxxxx are
queue-6.12/pci-endpoint-clear-secondary-not-primary-epc-in-pci_epc_remove_epf.patch
queue-6.12/pci-endpoint-fix-pci-domain-id-release-in-pci_epc_destroy.patch
